Android, Nokia and BlackBerry users, your every key press is being tracked, claims Connecticut systems administrator Trevor Eckhart. Eckhart said as much recently, raising quite the ruckus, but this time he’s back with a 17 minute video demonstrating on an HTC Android phone precisely how it works—that is, how sequestered tracking software running on millions of smartphones from a company called Carrier IQ is quietly registering every key press.
In the video, Eckhart illustrates how an application called iqagent “must be running,” and that it’s been given “a pretty extensive list of permissions…everything from calling phone numbers, stuff that costs us money, sending text messages, reading text messages, getting our location, recording audio…all sorts of stuff.” Eckhart then shows how the software registers every button press on the phone, be it physical—from the home button to the volume controls—or something on-screen.
(MORE: Samsung Accused of Installing Keyloggers on Laptops)
Carrier IQ calls what it does “mobile service intelligence.” Others might call it “keystroke monitoring software,” or even “upsetting” and “disturbing.” Whatever the case, it’s very real, intentionally installed and used to register every smartphone-related interaction, from simple screen taps and swipes to full-on email and texting. Eckhart dubs Carrier IQ’s app a “root kit” (a set of software tools that allow someone to access a computer system without being detected) for which Carrier IQ threatened a legal salvo. Eckhart appeared to defang that threat when the Electronic Frontier Foundation got involved last week.
Is this data being gathered for the benefit of users somehow? Is any of the data secretly transmitted back to carriers or sent elsewhere? It’s not clear at this point–Wired claims yes, but I’m not seeing verification of actual transmission in the video up top. Carrier IQ, for its part, issued a press statement a few weeks ago admitting it was “counting and measuring operational information in mobile devices – feature phones, smartphones and tablets,” but stressed that it was “not recording keystrokes or providing tracking tools.”
Semantic wrangling notwithstanding, Eckhart’s video appears to refute Carrier IQ’s claims that it’s “not recording keystrokes,” unless by “recording” Carrier IQ means it’s not storing the information anywhere. Eckhart’s video shows how the keystrokes are captured, but doesn’t reveal whether or where they’re being stored or transmitted.
Carrier IQ claims the information it’s gathering is “a mission critical tool to improve the quality of the network, understand device issues and ultimately improve the user experience.”
Whatever the case, it sounds like this should have been disclosed, that customers ought to be given the option to “opt out,” and that it needs to be made crystal clear that nothing–absolutely nothing–is being transmitted back to the carrier without a user’s explicit permission (and no, slipping it into a mountain of legalese in a use agreement at startup won’t wash). If Carrier IQ or the carriers it’s partnered with have a problem with any of that, let’s see how long their position holds up in court.
MORE: High School Hacker Pleads Guilty to Spyware Hijinks
Matt Peckham is a reporter at TIME. Find him on Twitter at @mattpeckham or on Facebook. You can also continue the discussion on TIME’s Facebook page and on Twitter at @TIME.